FedRAMP

The U.S. Federal Government established the Federal Risk and Authorization
Management Program (FedRAMP), a government-wide program that
provides a standardized approach to security assessment, authorization, and
continuous monitoring for cloud products and services. All Federal agency cloud
deployments and service models, other than certain on-premises private clouds,
must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate,
or High).

Google Cloud maintains a FedRAMP High provisional authority to operate (P-ATO)
from the FedRAMP JAB for 17 Google Cloud products in 5 regions. We also maintain a
Moderate provisional authority to operate (P-ATO) for 64 Google Cloud Platform
(GCP) products in 17 regions and a Moderate authority to operate (ATO) for 27 G
Suite products.

Customers seeking FedRAMP compliance should only run their workloads in the following FedRAMP-authorized regions

Expand All

Region

High Baseline

Moderate Baseline

Oregon (us-west1)

X

X

Los Angeles (us-west2)

X

X

Salt Lake City (us-west3)

X

X

Iowa (us-central1)

X

X

South Carolina (us-east1)

X

X

Northern Virginia (us-east4)

X

X

Montreal (northamerica-northeast1)

X

Sao Paulo (southamerica-east1)

X

Belgium (europe-west1)

X

London (europe-west2)

X

Frankfurt (europe-west3)

X

Netherlands (europe-west4)

X

Finland (europe-north1)

X

Mumbai (asia-south1)

X

Singapore (asia-southeast1)

X

Taiwan (asia-east1)

X

Tokyo (asia-northeast1)

X

Sydney (australia-southeast1)

X

FAQs

How can I get FedRAMP compliance for my solution that uses Google Cloud?

FedRAMP allows for varying levels of inheritance for cloud service providers
(CSPs) using FedRAMP-authorized infrastructure, platforms, and services. This
initial analysis of control vs. inheritance will ultimately determine how much
compliance responsibility you will hold as a CSP. For example, if your
organization prefers to build the entire stack of your application, you will
also create more customer responsibility/obligation during evaluation by your
Authorizing Official. If you use Platform as a Service or Software as a Service,
there is likely to be a lesser compliance burden.

Once you have selected your FedRAMP-authorized services, Google can help you
configure your solution through service-specific configuration guides or direct
engagement with FedRAMP experts in our
Professional Services organization.

How does Google offer FedRAMP-authorized services when it doesn’t have a GovCloud offering?

Google is one of the first hyperscale commercial cloud providers to achieve
FedRAMP High on a commercial public cloud offering, and is one of the largest
providers of FedRAMP services available on the market today. In the past,
hyperscale providers have separated their “govclouds” from their commercial
cloud offerings to meet FedRAMP High requirements. This resulted in degraded
service offerings, lower service availability, and higher operational cost.
GCP’s FedRAMP High authorization enables government agencies processing high
impact workloads to adopt technology at a much higher velocity and at the same
scale as commercial customers. It also provides a much-needed boost to
competition in the US Government’s public cloud market, giving the public sector
a greater range of choices in technology mix and cloud providers than ever
before with plans to continue expanding the authorized product offerings.

FedRAMP terms and conditions flow down from our public sector procurement
partner, Carahsoft, so if you are interested in FedRAMP on Google Cloud, please
contact them
here.